
August 28, 2019 

MuckRock News 
DEPT MR 74467 
411A Highland Ave 
Somerville, MA 02144-2516 


Milwaukee Police Department 

Police Administration Building 
749 West State Street 
Milwaukee, Wisconsin 53233 
http://www.milwaukee.gov/police 

Alfonso Morales 

Chief of Police 

(414) 933-4444 


Dear Emma Best: 


This letter is in response to your public records request pursuant to the provisions of the Wisconsin Public Records Law (Wis 
Stat. § 19.31-39). In your letter dated May 30, 2019, you requested the following information: 

See attached request re: Anonymous + general hacktivists 2009-2018. 

The public policy in this state is to give the public the greatest amount of access to public records as possible. Wis. Stat. § 19.32 
The general presumption is that public records are open to the public unless there is a clear statutory or common law exception" 
If there is no clear statutory or common law exception the custodian must ‘‘decide whether the strong presumption favoring 
access and disclosure is overcome by some even stronger public policy favoring limited access or nondisclosure.” Hempel v. 
City of Baraboo, 2005 WI 120, 1[ 28 (citations omitted.) Notwithstanding the presumption of openness, the public’s right to 
access to public records is not absolute. Journal/Sentinel v. Aagerup, 145 Wis. 2d 818, 822 (Ct. App. 1988). 

At this time, your request is denied. 


“Documents mentioning or relating to Anonymous (the hacker movement/collective...) or hacktivisim (defined as hacking as a 
form of protest and/or activism) generated between 1 January 2009 and 1 January 2019... 

Your request also provided some specificity as to the types of records you wished the Milwaukee Police Department (“MPD”1 to 
search for. ’ 

Having now had a chance to estimate the sheer number of records that are potentially responsive to your request, 1 have 
determined that your request is excessively burdensome. 

Wisconsin courts have ruled that a public records request that is excessively burdensome can appropriately be denied under the 
provisions of Wis. Stat. § 19.35(1 )(h). Such a request can be denied when responding represents a burden far beyond that which 
may reasonably be required of a custodian of a public record. Schopper v. Gehling, 210 Wis. 2d 208 210 (Ct App 1997) The 
purpose of the limitation found under Wis. Stat. § 19.35(l)(h) is to “prevent a situation where a request unreasonably burdens a 
record custodian, requiring the custodian to spend excessive amounts of time and resources deciphering and responding to a 
request. State ex rel. Gehl v. Connors, 2007 WI App 238,1 17. A request should include sufficient specificity so the custodian 
does not have to guess at what a requester is seeking. Seifert v. School Dist. of Sheboygan Falls. 2007 WI Ann 207 f 42 305 
Wis. 2(1 582, 740 N. W. 2d 177. Compliance with the Public Records Law should not “so burden the records custodian that the 
normal functioning of the office would be severely impaired.” Schopper, 210 Wis. 2d at 213 

In this instance, our IT department, going through 10 years of e-mails, and using the search Anonymous, identified 2 249 
potentially responsive records. A search was also performed of the word “Anonymous” in MPD’s record management system- 
however the computer froze after hitting 4,000 results. It is likely that most of these records are unrelated to the hacked 
movement/collective that you have identified; however, there is no way to determine that without reviewing each record At a 
minimum, this is 6,249 records, many of which are multiple pages long, which would have to be reviewed to determine whether 
they are responsive to your request, and then, if so, potentially redacted. MPD would also have to review records other than e- 
mails and reports. You have also requested bulletins, warnings, alerts, records from the FBI, Homeland Security, or any other 
federal agency, and additional materials. Even removing the items you requested that are not “records,” as that term is defined in 
Wis. Stat. § 19.32(2), this is a monumental amount of material to go through. 

While responding to public records requests is an important function of this office, it is not this office’s only important function 
fu !y agree with the po icy of this state that government records are open to the public (subject to statutory, common law and 
public policy exceptions); however, the sheer scope of your request and the number of potentially responsive records that would 
have to be reviewed and potentially redacted makes your request unreasonable. Having to go through thousands, if not tens of 
thousands, of pages of potentially responsive records would unreasonably burden this office such that its normal functioning 
bu 0 rdensome eVer ^ lmpa ' red ' Consec i uentl - v ’ 1 am denying your request on the grounds that it is overly broad and unduly 

Please note that we also performed a search in our record management system for the term “hacktivism,” but no records were 
identified that included that search term. 


(I) Denial 


Pursuant to Wis. Stat. § 19.34(4)(b), the above determinations are subject to review by mandamus action under Wis. Stat. § 
19.37(1), or upon application to the Wisconsin Attorney General or the Milwaukee County Corporation Counsel. 

Sincerely, 


Sincerely, 


4 LFONSO MORALES 
CHIEF OF POLICE 



POLICE SERGEANT 
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Wisconsin Open Records Act Request: Anonymous + general hacktivists 2009- 
2018 (Milwaukee Police Department) 

74467-12952289@requests.muckrock.com 
Thu S/30/2019 2:06 PM 

To: Records, Open <mpdopenrecords@milwaukee.gov> 

Q| 1 attachments (482 KB) 

A-0010-NCCIC-BULLETIN.pdf; 


Milwaukee Police Department 
ORA Office 
P.O. Box 531 
Milwaukee, WI 53210 

May 30, 2019 

To Whom It May Concern: 

Pursuant to the Wisconsin Open Records Act, I hereby request the following records: 

Documents mentioning or relating to Anonymous (the hacker movement/collective, see 
below) or hacktivism (defined as hacking as a form of protest and/or activism) generated 
between 1 January 2009 and 1 January 2019, including but not limited to: 

* Internal reports, bulletins, warnings and alerts relating to Anonymous or hacktivism 

* Reports from the appropriate IT (Information Technology) or computer offices regarding 
possible cyber attacks by Anonymous or other hacktivists 

* Reports, bulletins, warnings and alerts sent to or received from either the Federal Bureau 
of Investigation, the Department of Homeland Security, any fusion center or federal agency 
relating to or mentioning Anonymous or hacktivism 

* Incident reports investigating possible hacking activity falling within the office's 
jurisdiction and allegedly carried out by members of Anonymous or other hacktivist groups 

* Materials generated as a result of any suspected or actual compromise, breach or 
"dox" (revealing of personal or private information) by Anonymous or other hacktivists 

Anonymous has been described by government agencies as a non-hierarchical hacktivist 
collective, Anonymous uses hacking (and arguably cracking) techniques to register political 
protest in campaigns known as "#ops.” Best known for their distributed denial of services 
(DDoS) attacks, past activities have included attacks against the Church of Scientology; Visa, 
Paypal, and others who withdrew their services from WikiLeaks' Julian Assange after that 
group began releasing war documents; #OpTunisia and others purporting to support the 
Arab Spring; and a campaign that brought down the website of the Westboro Baptist 
Church. #Ops are usually marked with the release of a video of a reader in a Guy Fawkes 

https://outlook.office365.eom/mail/mpdopenrecords@milwaukee.gov/inbox/id/AAQkADI... 5/31/2019 
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mask using a computer generated voice. See attached for additional background 
information. 

I am a member of the news media and request classification as such. I have previously 
written about the government and its activities, with some reaching over 100,000 readers. 

As such, as I have a reasonable expectation of publication and my editorial and writing skills 
are well* established. In addition, I discuss and comment on the files online and make them 
available through non-profits such as the Internet Archive and MuckRock, disseminating 
them to a large audience. While my research is not limited to this, a great deal of it, 
including this, focuses on the activities and attitudes of the government itself. As such, it is 
not necessary for me to demonstrate the relevance of this particular subject in advance. 

As my primary purpose is to inform about government activities by reporting on it and 
making the raw data available, I request that fees be waived. 

The requested documents will be made available to the general public, and this request is 
not being made for commercial purposes. 

In the event that there are fees, I would be grateful if you would inform me of the total 
charges in advance of fulfilling my request. I would prefer the request filled electronically, by 

e-mail attachment if available or CD-ROM if not. 

Thank you in advance for your anticipated cooperation in this matter. I look forward to 
receiving your response to this request within 10 business days. 

Sincerely, 

Emma Best 

Filed via MuckRock.com 

E-mail (Preferred): 74467-12952289@requests.muckrock.com 

Upload documents directly: https://accounts.muckrock.com/accounts/login/?next=https% 

3A%2F%2Fwww.muckrock.com%2Faccounts%2Flogin%2F%3Fnext%3D%252Faccounts% 

252Fagency_login%252Fmilwaukee-police-department-653%252Fanonymous-general- 

hacktivists-2009-2018-milwaukee-police-department-74467%252F%253Femail% 

253Dmpdopenrecords%252540milwaukee.gov&url_auth_token=AAAVzfaRyXCKHY6hk- 

qPhCrBLjc%3AlhWQNB%3AAzqNzs9nlDs71b3hT9t4IexKaAQ 

Is this email coming to the wrong contact? Something else wrong? Use the above link to let 
us know. 

For mailed responses, please address (see note): 

MuckRock News 
DEPT MR 74467 
411A Highland Ave 
Somerville, MA 02144-2516 

PLEASE NOTE: This request is not filed by a MuckRock staff member, but is being sent 
through MuckRock by the above in order to better track, share, and manage public records 


https://outlook.office 365 .eom/mail/mpdopenrecords@milwaukee.gov/inbox/id/AAQkADI... 5/31/2019 
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requests. Also note that improperly addressed (i.e, with the requester's name rather than 
"MuckRock News" and the department number) requests might be returned as 

undeliverabie. 


httn S -//o„tlook.office 365 .com/mail/mpdopenrecords@milwaukee.gov/inbox/id/AAQkADI... 
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NATIONAL CYBERSECURITY AND 
COMMUNICATIONS INTEGRATION CENTER 

BULLETIN 

A-0010-NCCIC -160020110719 


DIsTrIBUTION NOTOH^IA): THIS PRODUCT'S INTENDED FOR THE CV8ERSECUR1TY, CRITICAL 

INFRASTRUCTUR E and / OR key resources communi ty atlarge--_ - 

"ANONYMOUS" AND ASSOCIATED HACKER GROUPS CONTINUE TO BE 
SUCCESSFUL USING RUDIMENTARY EXPLOITS TO ATTACK PUBLIC AND 

PRIVATE ORGANIZATIONS_ 


EXECUTIVE SUMMARY 


mi Th i s Bulletin is being provided for your Executive Leadership, Operational Management and 
Security Adtn."trators situadonal awareness. The actors who make up the hacker group' Anonymo s 
and several likely related offshoots like "LulzSec", continue to harass public and private sector entities 
with rudimenta^ exploits and tactics, techniques, and procedures (TTPs) commonly associated with less 
skilled hackers referred to as "Script Kiddies" 1 . Members of Anonymous routinely claim to have an ove 
political agenda and have justified at least a portion of their exploits as retaliation for perceived soc.a 
injustices' 8 and 'freedom of speech' issues. Attacks by associated groups such as LulzSec have essent y 
been executed entirely for their and their associates' personal amusement, or in their own hacker jargon 

"for the lulz". 

(U) Anonymous insist they have no centralised operational leadership, which has been > ■ 

hurdle (or government and law enforcement entities attempting to curb their actions. Withi that being 

said we assess with high confidence that Anonymous and associated groups will continue to explon 

available web sewers, web sites, computer networks, and other digital information 

mediums for the foreseeable future. 

(U) So far. Anonymous has not demonstrated any capability to inflict 
damage to critical infrastructure, instead choosing to harass and 
embarrass its targets. However, some members of LulzSec have 
demonstrated moderately higher levels of skill and creativity, 
evidenced in attacks using combinations of methods and techniques 
to target multiple networks. To date, their attacks have largely 
resulted in the release of sensitive documents and personally 
identifiable information. These attacks have the potential to result 

in serious harm, particularly to Law Enforcement and other Federal, State and Local Govern ™ 
personnel who may be targeted as a result. Also, this assessment does not take into account 



1 Script Kiddie: Unskilled individuals who use icrMs o, programs developed by others to attack computer systems 
and networks and deface websites. 
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/ U i shou(d a cv ber attack occur, ensure backup and recovery procedures are in place and enabled. Be 
(U) sh °uld a cyber defensive plan that includes contact information for external 

Such P a plan may also include materials identifying who to contact at your Internet service provider 

or^fo^assistanee: the NCCIC, US-CERT, FBI Joint Terrorism Task Force, local FB, Field Office, applicable 
information Sharing Analysis Center (ISAC), and Sector Specific Agency. 

(U ) For the situational awareness of F/S/L/T/T and CIKR partners, below are URLs to the National and 
Cyber Threat Levels the NCCIC monitors. 

• National Terrorism Advisory System: http://www.dhs.gov/alerts 

• NCRAL: Contact NCCIC Watch & Warning (NCCIC@HQ.dhs.gov) 

• MS-ISAC: http://www.msisac.org/index.cfm 

• IT-ISAC: https://www.it-isac.org/ 

• ES-ISAC: http://www.esisac.com/ 

• FS-ISAC: http://www.fsisac.com/ 


ADDITIONAL INFORMATION 


(U) While the U.S. Government doesn't endorse a particular solution, identifying vendors with 
experience combating such an attack may reduce the time it takes to get assistance mitigating such an 
attack and restoring service or operations. Additionally, the US-CERT web page offers a wide variety of 
technical and non-technical information to make use of both before and after an incident. 

httn://www.us-cert.g ov/nav/t01/ 

(U) A variety of documents with information regarding defensive measures to combat a computer 
network attack are available at: 
httn://www.cert.org/tech tips/ 

,U] Many organizations can suffer financial less as a result of a cyber attack and may wish to pursue 
criminal or dvil charges against the intruder. For legal advice, we recommend that you consult with 
your legal counsel and law enforcement. 

(U) Data breaches which involve a monetary loss or include a financial nexus such as a compromise to 
your financial, credit or debit accounts, or personal information can be reported to the U.S. Secret 
Service for criminal investigation. For more information contact your local Secret Servrce Field Ofhce 

assistance. 

htto://www.secretservice.gov/ field offices.shtmi 

(U) U S persons and companies interested in pursuing an investigation of a cyber attack can con ^" t 
heir local S field office for guidance and information. For contact information for your local FBI field 
TfficeXse consult your loL telephone directory or see the FBI's contact informal web page. 

httD://www.fbi.go v/contactus.htm 
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(U) Non-U.S. entities may need to discuss malicious cyber activity with their local law enforcement 
agency to determine the appropriate steps that should be taken with regard to pursuing an 
investigation. 

(U) U.S. Federal Government Departments and Agencies should report cyber attacks and incidents to 
US-CERT. Non-U.S. F/S/L/T/T Government Departments and Agencies interested in determining the 
source of certain types of cyber attacks may require the cooperation of your internet service provider 
and the administrator of the attacked networks. Tracking an intruder this way may not always be 
possible. If you are interested in trying do to so, contact your service provider directly, as the US-CERT is 
not able to provide this type of assistance. We do encourage you to report your experiences, however. 
This helps the NCCIC and US-CERT understand the nature and scope of security incidents on the 
Internet, and we may be able to relate your report to other activity that has been reported to us. 


TERMS OF REFERENCE 


(U) Anonymous - {used as a mass noun) is an Internet meme originating 2003 on the imageboard 4chan, 
representing the concept of many online community users simultaneously existing as an anarchic, 
digitized global brain. It is also generally considered to be a blanket term for members of certain 
Internet subcultures, a way to refer to the actions of people in an environment where their actual 
identities are not known. 

(U) Lulz - often used to denote laughter at someone who is the victim of a prank, or a reason for 
performing an action. This variation is often used on the 'Oh Internet' wiki and '4chan' image boards. 

(U) Distributed Denial of Service (DDoS) - an attempt to make a computer resource unavailable to its 
intended users. Although the means to carry out, motives for, and targets of a DDoS attack may vary, it 
generally consists of the concerted efforts of person or persons to prevent an Internet site or service 
from functioning efficiently or at all, temporarily or indefinitely. 

(U) Hacktivist - a portmanteau of hack and activism. 


POINTS OF CONTACT 


(U) This was produced as a collaborative effort between the NCCIC Components and Functional Groups 
(US-CERT, ICS-CERT, NCS/NCC, l&A/GSD/CTAB). 

(U) Please direct questions to the NCCIC Duty Officer (NDO). NCCIC will continue to coordinate with the 
appropriate component organizations listed below: 


NCCIC Duty Officer 

NCCIC@HQ.dhs.gov 
(703) 235-8831 


US-CERT 

SWO@US-CERT.gov 

{703)235-8832/8833 


NCS/NCC 
NCS@HQ.dhs.gov 
(703)235-5080 


ICS-CERT 

ICS-CERT-SOC@dhs.gov 
(877) 776-7585 
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uter network defenders the opportunity to pro-actively supplement their computer network 
deposes and provide awareness to management, employees, and partners. For example, cybersecurity 
experts who have analyzed previous Anonymous attacks have noted there was a significant amount of 
reconnaissance prior to the attack. Other cybersecurity experts have recommended that public and 
private sector entities go through the same steps hackers would to determine the extent of attack 
surface available to a malicious actor. An example of this might entail using internet search engines like 
Google (USPER) to identify sensitive information and computer network vulnerabilities that have been 
cached as they catalogue the content of the WWW. 


ANTICIPATED FUTURE TARGETS 


(U) Members of the group LulzSec were possibly associated with the 15 June 2011 DDOS attack on the 
Central Intelligence Agency's (CIA) public-facing website. Although no information was stolen or 
released to the public, and the website was not defaced, the site was targeted in a manner consistent 
with other LulzSec and Anonymous attacks. Anonymous also declared that the group was at "war with 
the Intelligence Community (1C) and has identified it as a future target. Anonymous is likely targeting 
the 1C because it views it as violating its core belief in total freedom of information. Additionally, 
following the release of government e-mail account data from the July 2011 Booz Allen compromise, an 
Anonymous operator stated on Twitter that, "We are working on two of the biggest releases for 
Anonymous in the last 4 years. Put your helmets on. It is war." 

(U) Anonymous has also stated its intent to target companies related to certain Critical Infrastructure / 
Key Resources sectors. On 12 July 2011, Anonymous released personally identifiable information of 
approximately 2500 employees of U.S. Agricultural Company Monsanto, and claimed to have taken 
down corporate web assets and mail servers. Additionally, in a separate statement on 12 July 2011, 
Anonymous declared their intention to attack several U.S., Canadian, and British companies, including 
Exxon Mobil and ConocoPhillips, who were associated with development of oil sands in Alberta, Canada. 

(U) Future attacks are likely to continue but will likely remain limited in scope due to a lack of advanced 
capabilities. These attacks are also likely to target the Federal government and critical infrastructure 
sectors, particularly in response to publicized events relating to civil liberties, cyber security, or 
allegations of censorship (online or otherwise). 


THE WAY AHEAD 


(U) Some members of LulzSec have demonstrated moderately higher levels of skill and creativity that 
include using combinations of methods and techniques to target multiple networks. This does not take 
into account the possibility of a higher-level actor providing LulzSec or Anonymous more advanced 
capabilities. Therefore, it may be advisable to adjust monitoring of both internal and external resources 
for indications of a pending or ongoing attack on cyber or telecommunications networks. 

(U) The NCCIC recommends that U.S., Federal/State/local/Tribal/Territorial Departments and Agencies, 
and private sector partners ensure they have processes in place to notify their leadership and network 
operators if their organization becomes a possible target by hacktivists or other malicious actors, and 
what notifications they are required or plan to make in the event of an attack. 
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with the Bit Torrent 4 site The Pirate Bay, set up a pro-Iranian Green Party website where internet users 
could voice support for Iranians who were protesting the election results. In 2009 and early 2010 
(respectively), Anonymous also conducted DDOS attacks targeting the Governments of Germany and 

Australia. 

(U) Anonymous increased its notoriety in 2010 with high-profile attacks motivated by the arrest of U.S. 
Army Private Bradley Manning in connection to Wikiieaks, releasing several thousand classified U.S. 
government documents on the internet. Though Anonymous's past actions indicate these cyber attacks 
should have been motivated by Anonymous's views on freedom of speech, their public statements 
indicated that the intent was to retaliate against mistreatment of Pvt. Manning while he was in U.S. 

custody. 

(U) Anonymous' activities increased throughout 2011 with a number of high-profile attacks targeting 
both public and private sector entities. Several of these attacks utilized DDoS as their primary tool, 
while others relied on cross-site scripting exploits to conduct website defacements. Interestingly, 
Anonymous justified nearly all of their attacks conducted between 2010 and 2011 by citing social or 
political injustices by each victim organization. 

(U) In 2011, a group of relatively more talented individuals spun off from Anonymous to form the 
hacker group "LulzSec," to which has been attributed several high profile exploitation/attack incidents 
involving public and private sector organizations. Though LulzSec initially 
claimed to operate independently of Anonymous, it became clear that the 
level of coordination between the two groups was greater than initially 
thought. Upon completing what they termed a "voyage" of hacking for a 
period of time, it is confirmed that a small cohort of LulzSec returned to 
Anonymous. 

TACTICS, TECHNIQUES, AND PROCEDURES 

(U) Anonymous utilizes the internet to recruit and train new personnel, 
conduct reconnaissance on potential targets, exploit vulnerabilities found in information systems, deny 
access to resources, alter information presented by organizations, and steal sensitive information. 

Though the TTPs and tools employed by Anonymous are commonly thought to be rudimentary and 
unsophisticated, their success to date executing operations and gaining media attention is on par with 
high profile incidents allegedly involving sophisticated "Advanced Persistent Threat" (APT) actors. They 
have relied on taking advantage of weaknesses in applications, thus allowing them to bypass, at least 
initially, conventional network defenses such as firewalls and anti-virus applications to access sensitive 
data. Additionally, Anonymous and closely associated groups appear to be building upon recent 
successes by conducting highly visible messaging campaigns over publicly available social media forums 
such as Twitter (USPER) , YouTube (USPER| , and Facebook |USPER) . 

(U) Anonymous and associated groups pride themselves on being 'social media' savvy, and routinely use 
forums such as Twitter, Facebook, and public web pages to announce intended targets, ongoing attack 
results, and post files stolen from victim computer networks. These announcements can provide 



4 Bit Torrent: A Peer-to-Peer File Sharing Protocol. 
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